From d8de1a747eed631b4eb0c85e64987180c72b7fdb Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Fri, 11 Jun 2021 16:32:40 -0700
Subject: [PATCH] *: stop using pkg/errors

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 go.mod                                        |  1 -
 libcontainer/cgroups/systemd/common.go        |  5 +-
 libcontainer/configs/config.go                |  6 +-
 libcontainer/container_linux.go               | 21 +++---
 libcontainer/factory_linux.go                 | 10 +--
 libcontainer/init_linux.go                    | 23 ++++---
 libcontainer/logs/logs.go                     |  2 +-
 libcontainer/notify_linux_v2.go               |  8 +--
 libcontainer/seccomp/patchbpf/enosys_linux.go | 67 ++++++++++---------
 libcontainer/setns_init_linux.go              | 12 ++--
 libcontainer/standard_init_linux.go           | 38 ++++++-----
 utils.go                                      |  2 -
 utils_linux.go                                | 18 ++---
 13 files changed, 109 insertions(+), 104 deletions(-)

diff --git a/go.mod b/go.mod
index 6262a12198c..ef34af37152 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,6 @@ require (
 	github.com/mrunalp/fileutils v0.5.0
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/selinux v1.8.2
-	github.com/pkg/errors v0.9.1
 	github.com/seccomp/libseccomp-golang v0.9.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
index f2aa3ebad14..6edcaebf76f 100644
--- a/libcontainer/cgroups/systemd/common.go
+++ b/libcontainer/cgroups/systemd/common.go
@@ -436,7 +436,10 @@ func systemdVersionAtoi(verStr string) (int, error) {
 		return 0, fmt.Errorf("can't parse version %s: incorrect number of matches %v", verStr, matches)
 	}
 	ver, err := strconv.Atoi(matches[1])
-	return ver, fmt.Errorf("can't parse version: %w", err)
+	if err != nil {
+		return -1, fmt.Errorf("can't parse version: %w", err)
+	}
+	return ver, nil
 }
 
 func addCpuQuota(cm *dbusConnManager, properties *[]systemdDbus.Property, quota int64, period uint64) {
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index d61a6bb80f8..2dad5c8b575 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -7,10 +7,10 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/sirupsen/logrus"
+
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )
 
 type Rlimit struct {
@@ -262,7 +262,7 @@ type Capabilities struct {
 func (hooks HookList) RunHooks(state *specs.State) error {
 	for i, h := range hooks {
 		if err := h.Run(state); err != nil {
-			return errors.Wrapf(err, "Running hook #%d:", i)
+			return fmt.Errorf("error running hook #%d: %w", i, err)
 		}
 	}
 
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index aca61d0599e..097ac474371 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -19,21 +19,20 @@ import (
 	"sync"
 	"time"
 
-	securejoin "github.com/cyphar/filepath-securejoin"
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-	"github.com/opencontainers/runc/libcontainer/intelrdt"
-	"github.com/opencontainers/runc/libcontainer/system"
-	"github.com/opencontainers/runc/libcontainer/utils"
-	"github.com/opencontainers/runtime-spec/specs-go"
-
 	"github.com/checkpoint-restore/go-criu/v5"
 	criurpc "github.com/checkpoint-restore/go-criu/v5/rpc"
-	errorsf "github.com/pkg/errors"
+	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/unix"
 	"google.golang.org/protobuf/proto"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/intelrdt"
+	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 const stdioFdCount = 3
@@ -390,7 +389,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
 
 			if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
 				if err := ignoreTerminateErrors(parent.terminate()); err != nil {
-					logrus.Warn(errorsf.Wrapf(err, "Running Poststart hook"))
+					logrus.Warn(fmt.Errorf("error running poststart hook: %w", err))
 				}
 				return err
 			}
@@ -1283,7 +1282,7 @@ func (c *linuxContainer) prepareCriuRestoreMounts(mounts []*configs.Mount) error
 			if m.Device == "bind" {
 				if err := utils.WithProcfd(c.config.Rootfs, m.Destination, func(procfd string) error {
 					if err := unix.Mount(m.Source, procfd, "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
-						return errorsf.Wrapf(err, "unable to bind mount %q to %q (through %q)", m.Source, m.Destination, procfd)
+						return fmt.Errorf("unable to bind mount %q to %q (through %q): %w", m.Source, m.Destination, procfd, err)
 					}
 					return nil
 				}); err != nil {
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index 1cc126133f9..31057558965 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -4,6 +4,7 @@ package libcontainer
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -13,6 +14,8 @@ import (
 
 	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/moby/sys/mountinfo"
+	"golang.org/x/sys/unix"
+
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fs2"
@@ -21,9 +24,6 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs/validate"
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
 	"github.com/opencontainers/runc/libcontainer/utils"
-	"github.com/pkg/errors"
-
-	"golang.org/x/sys/unix"
 )
 
 const (
@@ -59,13 +59,13 @@ func getUnifiedPath(paths map[string]string) string {
 		if path == "" {
 			path = v
 		} else if v != path {
-			panic(errors.Errorf("expected %q path to be unified path %q, got %q", k, path, v))
+			panic(fmt.Errorf("expected %q path to be unified path %q, got %q", k, path, v))
 		}
 	}
 	// can be empty
 	if path != "" {
 		if filepath.Clean(path) != path || !filepath.IsAbs(path) {
-			panic(errors.Errorf("invalid dir path %q", path))
+			panic(fmt.Errorf("invalid dir path %q", path))
 		}
 	}
 
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 54c35207a0a..985c9250403 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -5,6 +5,7 @@ package libcontainer
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -14,17 +15,17 @@ import (
 	"unsafe"
 
 	"github.com/containerd/console"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+
 	"github.com/opencontainers/runc/libcontainer/capabilities"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/user"
 	"github.com/opencontainers/runc/libcontainer/utils"
-	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"github.com/vishvananda/netlink"
-	"golang.org/x/sys/unix"
 )
 
 type initType string
@@ -139,7 +140,7 @@ func finalizeNamespace(config *initConfig) error {
 	// inherited are marked close-on-exec so they stay out of the
 	// container
 	if err := utils.CloseExecFrom(config.PassedFilesCount + 3); err != nil {
-		return errors.Wrap(err, "close exec fds")
+		return fmt.Errorf("error closing exec fds: %w", err)
 	}
 
 	// we only do chdir if it's specified
@@ -174,14 +175,14 @@ func finalizeNamespace(config *initConfig) error {
 	}
 	// drop capabilities in bounding set before changing user
 	if err := w.ApplyBoundingSet(); err != nil {
-		return errors.Wrap(err, "apply bounding set")
+		return fmt.Errorf("unable to apply bounding set: %w", err)
 	}
 	// preserve existing capabilities while we change users
 	if err := system.SetKeepCaps(); err != nil {
-		return errors.Wrap(err, "set keep caps")
+		return fmt.Errorf("unable to set keep caps: %w", err)
 	}
 	if err := setupUser(config); err != nil {
-		return errors.Wrap(err, "setup user")
+		return fmt.Errorf("unable to setup user: %w", err)
 	}
 	// Change working directory AFTER the user has been set up, if we haven't done it yet.
 	if doChdir {
@@ -190,10 +191,10 @@ func finalizeNamespace(config *initConfig) error {
 		}
 	}
 	if err := system.ClearKeepCaps(); err != nil {
-		return errors.Wrap(err, "clear keep caps")
+		return fmt.Errorf("unable to clear keep caps: %w", err)
 	}
 	if err := w.ApplyCaps(); err != nil {
-		return errors.Wrap(err, "apply caps")
+		return fmt.Errorf("unable to apply caps: %w", err)
 	}
 	return nil
 }
diff --git a/libcontainer/logs/logs.go b/libcontainer/logs/logs.go
index 6610a1aaeea..07592176b51 100644
--- a/libcontainer/logs/logs.go
+++ b/libcontainer/logs/logs.go
@@ -3,12 +3,12 @@ package logs
 import (
 	"bufio"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"sync"
 
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
diff --git a/libcontainer/notify_linux_v2.go b/libcontainer/notify_linux_v2.go
index dd0ec290ecf..8db3ac23d1b 100644
--- a/libcontainer/notify_linux_v2.go
+++ b/libcontainer/notify_linux_v2.go
@@ -3,11 +3,11 @@
 package libcontainer
 
 import (
+	"fmt"
 	"path/filepath"
 	"unsafe"
 
 	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -15,19 +15,19 @@ import (
 func registerMemoryEventV2(cgDir, evName, cgEvName string) (<-chan struct{}, error) {
 	fd, err := unix.InotifyInit()
 	if err != nil {
-		return nil, errors.Wrap(err, "unable to init inotify")
+		return nil, fmt.Errorf("unable to init inotify: %w", err)
 	}
 	// watching oom kill
 	evFd, err := unix.InotifyAddWatch(fd, filepath.Join(cgDir, evName), unix.IN_MODIFY)
 	if err != nil {
 		unix.Close(fd)
-		return nil, errors.Wrap(err, "unable to add inotify watch")
+		return nil, fmt.Errorf("unable to add inotify watch: %w", err)
 	}
 	// Because no `unix.IN_DELETE|unix.IN_DELETE_SELF` event for cgroup file system, so watching all process exited
 	cgFd, err := unix.InotifyAddWatch(fd, filepath.Join(cgDir, cgEvName), unix.IN_MODIFY)
 	if err != nil {
 		unix.Close(fd)
-		return nil, errors.Wrap(err, "unable to add inotify watch")
+		return nil, fmt.Errorf("unable to add inotify watch: %w", err)
 	}
 	ch := make(chan struct{})
 	go func() {
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
index 3bd75ac7ed2..ccf929d7219 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -5,19 +5,20 @@ package patchbpf
 import (
 	"bytes"
 	"encoding/binary"
+	"errors"
+	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"unsafe"
 
-	"github.com/opencontainers/runc/libcontainer/configs"
-	"github.com/opencontainers/runc/libcontainer/utils"
-
-	"github.com/pkg/errors"
 	libseccomp "github.com/seccomp/libseccomp-golang"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/bpf"
 	"golang.org/x/sys/unix"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 // #cgo pkg-config: libseccomp
@@ -91,10 +92,10 @@ loop:
 			}
 			if errors.Is(err, io.ErrUnexpectedEOF) {
 				// Parsing stopped mid-instruction.
-				return nil, errors.Wrap(err, "program parsing halted mid-instruction")
+				return nil, fmt.Errorf("program parsing halted mid-instruction: %w", err)
 			}
 			// All other errors.
-			return nil, errors.Wrap(err, "parsing instructions")
+			return nil, fmt.Errorf("error parsing instructions: %w", err)
 		}
 		program = append(program, bpf.RawInstruction{
 			Op: insn.Code,
@@ -109,7 +110,7 @@ loop:
 func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error) {
 	rdr, wtr, err := os.Pipe()
 	if err != nil {
-		return nil, errors.Wrap(err, "creating scratch pipe")
+		return nil, fmt.Errorf("error creating scratch pipe: %w", err)
 	}
 	defer wtr.Close()
 	defer rdr.Close()
@@ -123,23 +124,23 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
 	}()
 
 	if err := filter.ExportBPF(wtr); err != nil {
-		return nil, errors.Wrap(err, "exporting BPF")
+		return nil, fmt.Errorf("error exporting BPF: %w", err)
 	}
 	// Close so that the reader actually gets EOF.
 	_ = wtr.Close()
 
 	if copyErr := <-errChan; copyErr != nil {
-		return nil, errors.Wrap(copyErr, "reading from ExportBPF pipe")
+		return nil, fmt.Errorf("error reading from ExportBPF pipe: %w", copyErr)
 	}
 
 	// Parse the instructions.
 	rawProgram, err := parseProgram(readerBuffer)
 	if err != nil {
-		return nil, errors.Wrap(err, "parsing generated BPF filter")
+		return nil, fmt.Errorf("parsing generated BPF filter: %w", err)
 	}
 	program, ok := bpf.Disassemble(rawProgram)
 	if !ok {
-		return nil, errors.Errorf("could not disassemble entire BPF filter")
+		return nil, errors.New("could not disassemble entire BPF filter")
 	}
 	return program, nil
 }
@@ -154,7 +155,7 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
 		// Convert to actual native architecture.
 		arch, err := libseccomp.GetNativeArch()
 		if err != nil {
-			return invalidArch, errors.Wrap(err, "get native arch")
+			return invalidArch, fmt.Errorf("unable to get native arch: %w", err)
 		}
 		return archToNative(arch)
 	case libseccomp.ArchX86:
@@ -191,7 +192,7 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
 	case libseccomp.ArchS390X:
 		return nativeArch(C.C_AUDIT_ARCH_S390X), nil
 	default:
-		return invalidArch, errors.Errorf("unknown architecture: %v", arch)
+		return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
 	}
 }
 
@@ -208,7 +209,7 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 	for _, ociArch := range config.Architectures {
 		arch, err := libseccomp.GetArchFromString(ociArch)
 		if err != nil {
-			return nil, errors.Wrap(err, "validating seccomp architecture")
+			return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err)
 		}
 
 		// Map native architecture to a real architecture value to avoid
@@ -216,7 +217,7 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 		if arch == libseccomp.ArchNative {
 			nativeArch, err := libseccomp.GetNativeArch()
 			if err != nil {
-				return nil, errors.Wrap(err, "get native arch")
+				return nil, fmt.Errorf("unable to get native architecture: %w", err)
 			}
 			arch = nativeArch
 		}
@@ -224,7 +225,7 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 		// Figure out native architecture representation of the architecture.
 		nativeArch, err := archToNative(arch)
 		if err != nil {
-			return nil, errors.Wrapf(err, "cannot map architecture %v to AUDIT_ARCH_ constant", arch)
+			return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err)
 		}
 
 		if _, ok := lastSyscalls[nativeArch]; !ok {
@@ -369,7 +370,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 						},
 					}, sectionTail...)
 				default:
-					return nil, errors.Errorf("unknown amd64 native architecture %#x", scmpArch)
+					return nil, fmt.Errorf("unknown amd64 native architecture %#x", scmpArch)
 				}
 			}
 
@@ -377,16 +378,16 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 		case 2:
 			// x32 and x86_64 are a unique case, we can't handle any others.
 			if uint32(nativeArch) != uint32(C.C_AUDIT_ARCH_X86_64) {
-				return nil, errors.Errorf("unknown architecture overlap on native arch %#x", nativeArch)
+				return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", nativeArch)
 			}
 
 			x32sysno, ok := maxSyscalls[libseccomp.ArchX32]
 			if !ok {
-				return nil, errors.Errorf("missing %v in overlapping x86_64 arch: %v", libseccomp.ArchX32, maxSyscalls)
+				return nil, fmt.Errorf("missing %v in overlapping x86_64 arch: %v", libseccomp.ArchX32, maxSyscalls)
 			}
 			x86sysno, ok := maxSyscalls[libseccomp.ArchAMD64]
 			if !ok {
-				return nil, errors.Errorf("missing %v in overlapping x86_64 arch: %v", libseccomp.ArchAMD64, maxSyscalls)
+				return nil, fmt.Errorf("missing %v in overlapping x86_64 arch: %v", libseccomp.ArchAMD64, maxSyscalls)
 			}
 
 			// The x32 ABI indicates that a syscall is being made by an x32
@@ -447,7 +448,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 				}...)
 			}
 		default:
-			return nil, errors.Errorf("invalid number of architecture overlaps: %v", len(maxSyscalls))
+			return nil, fmt.Errorf("invalid number of architecture overlaps: %v", len(maxSyscalls))
 		}
 
 		// Prepend this section to the tail.
@@ -516,7 +517,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 func assemble(program []bpf.Instruction) ([]unix.SockFilter, error) {
 	rawProgram, err := bpf.Assemble(program)
 	if err != nil {
-		return nil, errors.Wrap(err, "assembling program")
+		return nil, fmt.Errorf("error assembling program: %w", err)
 	}
 
 	// Convert to []unix.SockFilter for unix.SockFilter.
@@ -546,11 +547,11 @@ func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
 
 	lastSyscalls, err := findLastSyscalls(config)
 	if err != nil {
-		return nil, errors.Wrap(err, "finding last syscalls for -ENOSYS stub")
+		return nil, fmt.Errorf("error finding last syscalls for -ENOSYS stub: %w", err)
 	}
 	stubProgram, err := generateEnosysStub(lastSyscalls)
 	if err != nil {
-		return nil, errors.Wrap(err, "generating -ENOSYS stub")
+		return nil, fmt.Errorf("error generating -ENOSYS stub: %w", err)
 	}
 	return stubProgram, nil
 }
@@ -558,12 +559,12 @@ func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
 func enosysPatchFilter(config *configs.Seccomp, filter *libseccomp.ScmpFilter) ([]unix.SockFilter, error) {
 	program, err := disassembleFilter(filter)
 	if err != nil {
-		return nil, errors.Wrap(err, "disassembling original filter")
+		return nil, fmt.Errorf("error disassembling original filter: %w", err)
 	}
 
 	patch, err := generatePatch(config)
 	if err != nil {
-		return nil, errors.Wrap(err, "generating patch for filter")
+		return nil, fmt.Errorf("error generating patch for filter: %w", err)
 	}
 	fullProgram := append(patch, program...)
 
@@ -575,7 +576,7 @@ func enosysPatchFilter(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (
 
 	fprog, err := assemble(fullProgram)
 	if err != nil {
-		return nil, errors.Wrap(err, "assembling modified filter")
+		return nil, fmt.Errorf("error assembling modified filter: %w", err)
 	}
 	return fprog, nil
 }
@@ -586,12 +587,12 @@ func filterFlags(filter *libseccomp.ScmpFilter) (flags uint, noNewPrivs bool, er
 
 	noNewPrivs, err = filter.GetNoNewPrivsBit()
 	if err != nil {
-		return 0, false, errors.Wrap(err, "fetch no_new_privs filter bit")
+		return 0, false, fmt.Errorf("unable to fetch no_new_privs filter bit: %w", err)
 	}
 
 	if apiLevel >= 3 {
 		if logBit, err := filter.GetLogBit(); err != nil {
-			return 0, false, errors.Wrap(err, "fetch SECCOMP_FILTER_FLAG_LOG bit")
+			return 0, false, fmt.Errorf("unable to fetch SECCOMP_FILTER_FLAG_LOG bit: %w", err)
 		} else if logBit {
 			flags |= uint(C.C_FILTER_FLAG_LOG)
 		}
@@ -633,13 +634,13 @@ func PatchAndLoad(config *configs.Seccomp, filter *libseccomp.ScmpFilter) error
 	// Generate a patched filter.
 	fprog, err := enosysPatchFilter(config, filter)
 	if err != nil {
-		return errors.Wrap(err, "patching filter")
+		return fmt.Errorf("error patching filter: %w", err)
 	}
 
 	// Get the set of libseccomp flags set.
 	seccompFlags, noNewPrivs, err := filterFlags(filter)
 	if err != nil {
-		return errors.Wrap(err, "fetch seccomp filter flags")
+		return fmt.Errorf("unable to fetch seccomp filter flags: %w", err)
 	}
 
 	// Set no_new_privs if it was requested, though in runc we handle
@@ -647,13 +648,13 @@ func PatchAndLoad(config *configs.Seccomp, filter *libseccomp.ScmpFilter) error
 	if noNewPrivs {
 		logrus.Warnf("potentially misconfigured filter -- setting no_new_privs in seccomp path")
 		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
-			return errors.Wrap(err, "enable no_new_privs bit")
+			return fmt.Errorf("error enabling no_new_privs bit: %w", err)
 		}
 	}
 
 	// Finally, load the filter.
 	if err := sysSeccompSetFilter(seccompFlags, fprog); err != nil {
-		return errors.Wrap(err, "loading seccomp filter")
+		return fmt.Errorf("error loading seccomp filter: %w", err)
 	}
 	return nil
 }
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index 1feb67d0415..ca623e4bbe7 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -3,17 +3,19 @@
 package libcontainer
 
 import (
+	"errors"
+	"fmt"
 	"os"
 	"runtime"
 
+	"github.com/opencontainers/selinux/go-selinux"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/keys"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
-	"github.com/opencontainers/selinux/go-selinux"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )
 
 // linuxSetnsInit performs the container's initialization for running a new process
@@ -45,7 +47,7 @@ func (l *linuxSetnsInit) Init() error {
 			//
 			// TODO(cyphar): And we should have logging here too.
 			if !errors.Is(err, unix.ENOSYS) {
-				return errors.Wrap(err, "join session keyring")
+				return fmt.Errorf("unable to join session keyring: %w", err)
 			}
 		}
 	}
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 7b2986c5a92..ce9117fa266 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -3,21 +3,23 @@
 package libcontainer
 
 import (
+	"errors"
+	"fmt"
 	"os"
 	"os/exec"
 	"runtime"
 	"strconv"
 
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/keys"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
-	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )
 
 type linuxStandardInit struct {
@@ -66,14 +68,14 @@ func (l *linuxStandardInit) Init() error {
 			// TODO(cyphar): Log this so people know what's going on, once we
 			//               have proper logging in 'runc init'.
 			if !errors.Is(err, unix.ENOSYS) {
-				return errors.Wrap(err, "join session keyring")
+				return fmt.Errorf("unable to join session keyring: %w", err)
 			}
 		} else {
 			// Make session keyring searcheable. If we've gotten this far we
 			// bail on any error -- we don't want to have a keyring with bad
 			// permissions.
 			if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
-				return errors.Wrap(err, "mod keyring permissions")
+				return fmt.Errorf("unable to mod keyring permissions: %w", err)
 			}
 		}
 	}
@@ -98,7 +100,7 @@ func (l *linuxStandardInit) Init() error {
 			return err
 		}
 		if err := system.Setctty(); err != nil {
-			return errors.Wrap(err, "setctty")
+			return &os.SyscallError{Syscall: "ioctl(setctty)", Err: err}
 		}
 	}
 
@@ -111,45 +113,45 @@ func (l *linuxStandardInit) Init() error {
 
 	if hostname := l.config.Config.Hostname; hostname != "" {
 		if err := unix.Sethostname([]byte(hostname)); err != nil {
-			return errors.Wrap(err, "sethostname")
+			return &os.SyscallError{Syscall: "sethostname", Err: err}
 		}
 	}
 	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
-		return errors.Wrap(err, "apply apparmor profile")
+		return fmt.Errorf("unable to apply apparmor profile: %w", err)
 	}
 
 	for key, value := range l.config.Config.Sysctl {
 		if err := writeSystemProperty(key, value); err != nil {
-			return errors.Wrapf(err, "write sysctl key %s", key)
+			return err
 		}
 	}
 	for _, path := range l.config.Config.ReadonlyPaths {
 		if err := readonlyPath(path); err != nil {
-			return errors.Wrapf(err, "readonly path %s", path)
+			return fmt.Errorf("can't make %q read-only: %w", path, err)
 		}
 	}
 	for _, path := range l.config.Config.MaskPaths {
 		if err := maskPath(path, l.config.Config.MountLabel); err != nil {
-			return errors.Wrapf(err, "mask path %s", path)
+			return fmt.Errorf("can't mask path %s: %w", path, err)
 		}
 	}
 	pdeath, err := system.GetParentDeathSignal()
 	if err != nil {
-		return errors.Wrap(err, "get pdeath signal")
+		return fmt.Errorf("can't get pdeath signal: %w", err)
 	}
 	if l.config.NoNewPrivileges {
 		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
-			return errors.Wrap(err, "set nonewprivileges")
+			return &os.SyscallError{Syscall: "prctl(SET_NO_NEW_PRIVS)", Err: err}
 		}
 	}
 	// Tell our parent that we're ready to Execv. This must be done before the
 	// Seccomp rules have been applied, because we need to be able to read and
 	// write to a socket.
 	if err := syncParentReady(l.pipe); err != nil {
-		return errors.Wrap(err, "sync ready")
+		return fmt.Errorf("sync ready: %w", err)
 	}
 	if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {
-		return errors.Wrap(err, "set process label")
+		return fmt.Errorf("can't set process label: %w", err)
 	}
 	defer selinux.SetExecLabel("") //nolint: errcheck
 	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
@@ -166,7 +168,7 @@ func (l *linuxStandardInit) Init() error {
 	// finalizeNamespace can change user/group which clears the parent death
 	// signal, so we restore it here.
 	if err := pdeath.Restore(); err != nil {
-		return errors.Wrap(err, "restore pdeath signal")
+		return fmt.Errorf("can't restore pdeath signal: %w", err)
 	}
 	// Compare the parent from the initial start of the init process and make
 	// sure that it did not change.  if the parent changes that means it died
diff --git a/utils.go b/utils.go
index f3244a497b8..2809c3df8ab 100644
--- a/utils.go
+++ b/utils.go
@@ -55,8 +55,6 @@ func logrusToStderr() bool {
 func fatal(err error) {
 	// make sure the error is written to the logger
 	logrus.Error(err)
-	// If debug is enabled and pkg/errors was used, show its stack trace.
-	logrus.Debugf("%+v", err)
 	if !logrusToStderr() {
 		fmt.Fprintln(os.Stderr, err)
 	}
diff --git a/utils_linux.go b/utils_linux.go
index 4cfe882858a..8b8d9e57eaf 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -3,6 +3,7 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"os"
@@ -10,19 +11,18 @@ import (
 	"path/filepath"
 	"strconv"
 
-	"github.com/opencontainers/runc/libcontainer"
-	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
-	"github.com/opencontainers/runc/libcontainer/configs"
-	"github.com/opencontainers/runc/libcontainer/specconv"
-	"github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/coreos/go-systemd/v22/activation"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
-
-	"github.com/coreos/go-systemd/v22/activation"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 	"golang.org/x/sys/unix"
+
+	"github.com/opencontainers/runc/libcontainer"
+	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/specconv"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 var errEmptyID = errors.New("container id cannot be empty")
@@ -284,7 +284,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
 	for i := baseFd; i < baseFd+r.preserveFDs; i++ {
 		_, err = os.Stat("/proc/self/fd/" + strconv.Itoa(i))
 		if err != nil {
-			return -1, errors.Wrapf(err, "please check that preserved-fd %d (of %d) is present", i-baseFd, r.preserveFDs)
+			return -1, fmt.Errorf("unable to stat preserved-fd %d (of %d): %w", i-baseFd, r.preserveFDs, err)
 		}
 		process.ExtraFiles = append(process.ExtraFiles, os.NewFile(uintptr(i), "PreserveFD:"+strconv.Itoa(i)))
 	}